Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.
You have identified potential solutions for all of your risks that do not have security controls. What is the NEXT step?

• A.Screen potential vendor solutions
• B.Verify that the cost of mitigation is less than the risk
• C.Get approval from the board of directors
• D.Create a risk metrics for all unmitigated risks

Comment: *

Name: *

Email: *

Verification: *

When analyzing and forecasting a capital expense budget what are not included?

• A.Upgrade of mainframe
• B.New datacenter to operate from
• C.Purchase of new mobile devices to improve operations
• D.Network connectivity costs

Comment: *

Name: *

Email: *

Verification: *

SCENARIO: A CISO has several two-factor authentication systems under review and selects the one that is most sufficient and least costly. The implementation project planning is completed and the teams are ready to implement the solution. The CISO then discovers that the product it is not as scalable as originally thought and will not fit the organization's needs.
What is the MOST logical course of action the CISO should take?

• A.Review the original solution set to determine if another system would fit the organization's risk appetite and budget regulatory compliance requirements
• B.Continue with the project until the scalability issue is validated by others, such as an auditor or third party assessor
• C.Continue with the implementation and submit change requests to the vendor in order to ensure required functionality will be provided when needed
• D.Cancel the project if the business need was based on internal requirements versus regulatory compliance requirements

Comment: *

Name: *

Email: *

Verification: *

According to ISO 27001, of the steps for establishing an Information Security Governance program listed below, which comes first?

• A.Decide how to manage risk
• B.Define the budget of the Information Security Management System
• C.Identify threats, risks, impacts and vulnerabilities
• D.Define Information Security Policy

Comment: *

Name: *

Email: *

Verification: *

Scenario: As you begin to develop the program for your organization, you assess the corporate culture and determine that there is a pervasive opinion that the security program only slows things down and limits the performance of the "real workers." What must you do first in order to shift the prevailing opinion and reshape corporate culture to understand the value of information security to the organization?

• A.Cite corporate policy and insist on compliance with audit findings
• B.Understand the business and focus your efforts on enabling operations securely
• C.Cite compliance with laws, statutes, and regulations - explaining the financial implications for the company for non-compliance
• D.Draw from your experience and recount stories of how other companies have been compromised

Comment: *

Name: *

Email: *

Verification: *